RSA Advanced “Water Hole” Ghost AND Remote Access Trojan ~ Fun!

Lions at the Watering Hole – The “VOHO” Affair

As part of routine security research, the RSA Advanced Threat Intelligence Team identified a new hacking attack this week that uses a technique that we’ve termed “Watering Hole”.

In the new attack we’ve identified, which we are calling “VOHO”, the methodology relies on “trojanizing” legitimate websites specific to a geographic area which the attacker believes will be visited by end users who belong to the organization they wish to penetrate. This results in a wholesale compromise of multiple hosts inside a corporate network as the end-users go about their daily business, much like a lion will lie in wait to ambush prey at a watering hole.

The details of the attack are still developing, but what we are aware of so far is as follows:

The victim visits a compromised “watering hole” website

This website, through an injected JavaScript element, redirects the visiting browser to an exploit site.

This exploit site checks that the visiting machine is running a Windows operating system and a version of Internet Explorer, and then exploits the Java client on the visiting host, installing a “gh0st RAT” variant.

Gh0st RAT is a commonly observed Remote Access Trojan that historically has been used by APT attacker groups to perform surveillance and intelligence collection inside networks of interest. This particular type of operation was documented nicely in the Infowar Monitor’s paper, “Tracking GhostNet”.

Among other capabilities, the gh0st RAT malware has the ability to surreptitiously operate the webcams and microphones on compromised PCs.

Emerging Details:

In the VOHO campaign, the attacker compromised, likely through stolen FTP credentials, a number of legitimate websites. These websites generally served two geographic areas:

Massachusetts

Washington, DC

These legitimate websites are geared around commonly accessed services in these industry verticals:

Financial Services

Technology Services

Based on our initial analysis of server logs, this attack caused approximately 32,000 individual hosts to visit the attack site, inside over 4,000 unique organizations worldwide and across multiple industry verticals including:

State and Federal Government

Educational Institutions

Defense Industrial Base

Technology

If successfully compromised the gh0st RAT variant on the infected PC checks into a C2 site at: 58.64.155.59, an IP address located in China. This IP address has not historically been observed to be involved in malicious activity.

Communication occurs over ports 80, 443, and 53 and initial communication can be recognized via the presence of the string “HTTPS” in the initial payload, although the traffic is not valid HTTPS traffic.

While RSA’s efforts for this investigation are ongoing, individuals and organizations can determine their potential involvement in this attack by looking for traffic to either: 58.64.155.59 (which would originate from a compromised machine) or Torontocurling.com (which would originate from a machine going through the exploit system).

More information to come!

The RSA Advanced Threat Intelligence Team is a research and analysis organization focused on emerging, sophisticated threats globally. The RSA team is made up of Principal Researcher Alex Cox; Principal Technologist Jon McNeil; and Consulting Security Engineer Chris Harrington. The team is led by RSA Senior Threat Research and Intelligence Manager Will Gragido.